03-19-2022, 02:35 PM
Quote: Microsoft released a scanner that detects MikroTik routers hacked by the TrickBot gang to act as proxies for command and control servers.
TrickBot is a malware botnet distributed via phishing emails or dropped by other malware that has already infected a device. Once executed, TrickBot will connect to a remote command and control server to receive commands and download further payloads to run on the infected machine.
For years, TrickBot has used IoT devices, such as routers, to act as a proxy between an infected device and command and control servers (C2). These proxies are used to prevent researchers and law enforcement from finding and disrupting their command and control infrastructure.
In a new report by Microsoft, researchers explain how the TrickBot gang targeted vulnerable MikroTik routers using various methods to incorporate them as proxies for C2 communications.
Routing malicious traffic
The TrickBot operations utilized various methods when hacking into MikroTik routers, starting with using default credentials and then performing brute force attacks to guess the password.
If these initial methods did not provide access to the router, the threat actors would attempt to exploit CVE-2018-14847, a critical directory traversal vulnerability that allows unauthenticated, remote attackers to read arbitrary files. Using this vulnerability, the threat actors would steal the 'user.dat' file, which contains the user credentials for the router.
Once they gained access to the device, the threat actors used built-in '/ip', '/system', or '/tool' commands to create a network address translation (NAT) rule that rerouted traffic sent to port 449 on the router to port 80 on a remote command and control server.
Continue reading HERE
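The article above says the operators added a NAT rule on the compromised router that forwards port 449 to port 80 on a remote C2 host. As an added example (not code from the article, from Microsoft, or from the original poster), the script below parses a RouterOS `/ip firewall nat export` and flags dst-nat rules whose target is not a LAN address, marking the exact 449-to-80 pairing described; the export text is constructed and the LAN ranges are an assumption (RFC 1918 only).

```python
import ipaddress
import shlex

# Constructed sample of a RouterOS "/ip firewall nat export" (not from a real router).
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=192.168.88.10 to-ports=80 comment="lan web"
add action=dst-nat chain=dstnat dst-port=449 protocol=tcp to-addresses=203.0.113.10 to-ports=80
"""

# Assumption: forwarding targets inside these ranges are ordinary LAN port-forwards.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nat_rules(export_text):
    """Return one dict of key=value attributes per 'add ...' line under /ip firewall nat."""
    rules, in_nat = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):                      # a new section header
            in_nat = line == "/ip firewall nat"
            continue
        if in_nat and line.startswith("add "):
            tokens = shlex.split(line)[1:]            # shlex keeps quoted comments intact
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def find_suspicious_dstnat(export_text):
    """Flag dst-nat rules that relay traffic to a host outside the LAN ranges.

    A legitimate port-forward points at an internal host; a rule whose target is a
    remote address turns the router into a relay, the proxy pattern the article describes.
    """
    findings = []
    for rule in parse_nat_rules(export_text):
        if rule.get("action") != "dst-nat" or "to-addresses" not in rule:
            continue
        try:
            target = ipaddress.ip_address(rule["to-addresses"].split("-")[0])  # first of a range
        except ValueError:
            continue
        if any(target in net for net in LAN_RANGES):
            continue
        findings.append({
            "dst-port": rule.get("dst-port"),
            "to-addresses": str(target),
            "to-ports": rule.get("to-ports"),
            # the exact pairing reported for TrickBot: 449 on the router -> 80 on the C2
            "trickbot_pattern": rule.get("dst-port") == "449" and rule.get("to-ports") == "80",
        })
    return findings
```

Run it against a real export taken over a trusted channel and review every finding; a forward to a public address is not proof of compromise on its own, but it is the rule shape worth explaining.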